yeah, facing issues while logging in to the user portal.

On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <[email protected]> wrote:

> With UserRole you can only login to UserPortal, not webadmin. Do you have
> this issue when you try to login to UserPortal?
>
> On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
>
>> Provided the "user role" permissions, still same issue.
>>
>> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> your user [email protected] doesn't have appropriate permissions to login.
>>> First you need to login as 'admin@internal' and assign him some
>>> permissions, then you will be able to login.
>>>
>>> Ondra
>>>
>>> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>>>
>>>> HI All,
>>>>
>>>> After rectifying this, able to search the domain in the users in UI,
>>>> but unable to login, getting the below error:
>>>>
>>>> 2015-09-23 12:41:47,482 WARN
>>>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>>>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
>>>> user [email protected]. Reasons:
>>>> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>>>
>>>> Thanks,
>>>> Nagaraju
>>>>
>>>> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> as Alon already said, you have trailing space in your configuration
>>>>>
>>>>> 'my.abc.net ' <-- space at the end
>>>>>
>>>>> Please remove this space and try again.
>>>>>
>>>>> Ondra
>>>>>
>>>>> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>>>>
>>>>>> HI Alon,
>>>>>>
>>>>>> Tried all the options but no luck. I have copied the logs in the
>>>>>> pastebin, below is the link; the warning message is that it is unable
>>>>>> to resolve the DNS. Let me know, any help would I get.
>>>>>>
>>>>>> http://pastebin.com/7qN9QnHK
>>>>>>
>>>>>> Thanks,
>>>>>> Nagaraju
>>>>>>
>>>>>> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <[email protected]> wrote:
>>>>>>
>>>>>>> Hello Budur,
>>>>>>>
>>>>>>> I've done this recently. Alon, no offense, but the docs are not quite
>>>>>>> straightforward...
>>>>>>>
>>>>>>> Requirements:
>>>>>>> - LDAP server (obviously) - called here ldap.mydomain.com
>>>>>>> - LDAP bind account - called here [email protected], password 'Passw@rd'
>>>>>>> - At least one existing account in ldap, called [email protected]
>>>>>>>
>>>>>>> Please note, the most common issue will be DNS.
>>>>>>>
>>>>>>> I'll describe in short what steps need to be taken. All this needs to
>>>>>>> be done on your engine host. In the end this was quite easy :)
>>>>>>>
>>>>>>> 1. Install the packages: ovirt-engine-extension-aaa-ldap and
>>>>>>>    openldap-clients (these are only for testing your setup)
>>>>>>> 2. Test if ldap is working in general. (The extension uses the global
>>>>>>>    catalog at least for AD, this was news to me):
>>>>>>>
>>>>>>>    # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>>>>>>>      -D '[email protected]' -w Passw@rd -b '' '(userPrincipalName=[email protected])' cn userPrincipalName
>>>>>>>
>>>>>>>    If this command does not return details of the user, do debug your
>>>>>>>    ldap and continue once this works. Example:
>>>>>>>
>>>>>>>    # extended LDIF
>>>>>>>    #
>>>>>>>    # LDAPv3
>>>>>>>    # base <> with scope subtree
>>>>>>>    # filter: (userPrincipalName=[email protected])
>>>>>>>    # requesting: cn userPrincipalName
>>>>>>>    # with pagedResults control: size=1024
>>>>>>>    #
>>>>>>>
>>>>>>>    # Some Name, some-ou, mydomain.com
>>>>>>>    dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>>>>>    cn: Some Name
>>>>>>>    userPrincipalName: [email protected]
>>>>>>>
>>>>>>>    # search result
>>>>>>>    search: 2
>>>>>>>    result: 0 Success
>>>>>>>    control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>>>>>    pagedresults: cookie=
>>>>>>>
>>>>>>>    # numResponses: 2
>>>>>>>    # numEntries: 1
>>>>>>>
>>>>>>> 3. Copy the examples as mentioned from the readme.
>>>>>>> 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties;
>>>>>>>    leave the rest as is.
>>>>>>> 5. There, set:
>>>>>>>
>>>>>>>    vars.domain = ldap.mydomain.com
>>>>>>>    vars.user = ldap@${global:vars.domain}
>>>>>>>    vars.password = Passw@rd
>>>>>>>
>>>>>>> 6. Restart ovirt engine service
>>>>>>> 7. Log in as admin@internal and add user rights and roles from the
>>>>>>>    new provider
>>>>>>>
>>>>>>> Hope this helps.
>>>>>>>
>>>>>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>>>>>
>>>>>>>> below are the three files which I have modified.
>>>>>>>>
>>>>>>>> [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>>>>>>> ovirt.engine.extension.name = cloudspin-authn
>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>>>>>> ovirt.engine.aaa.authn.profile.name = cloudspin
>>>>>>>> ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>>>>>
>>>>>>>> [root@cstlb2 extensions.d]# ls
>>>>>>>> profile1-authn.properties  profile1-authz.properties
>>>>>>>> [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>>>>>>> ovirt.engine.extension.name = cloudspin-authz
>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>>>>> [root@cstlb2 extensions.d]#
>>>>>>>>
>>>>>>>> [root@cstlb2 aaa]# pwd
>>>>>>>> /etc/ovirt-engine/aaa
>>>>>>>> [root@cstlb2 aaa]# ls
>>>>>>>> ldap1.properties
>>>>>>>> [root@cstlb2 aaa]# cat ldap1.properties
>>>>>>>> #
>>>>>>>> # Select one
>>>>>>>> #
>>>>>>>> include = <openldap.properties>
>>>>>>>> #include = <389ds.properties>
>>>>>>>> #include = <rhds.properties>
>>>>>>>> #include = <ipa.properties>
>>>>>>>> #include = <iplanet.properties>
>>>>>>>> #include = <rfc2307.properties>
>>>>>>>> #include = <rfc2307-openldap.properties>
>>>>>>>>
>>>>>>>> #
>>>>>>>> # Server
>>>>>>>> #
>>>>>>>> vars.server = my.abc.net 
>>>>>>>>
>>>>>>>> #
>>>>>>>> # Search user and its password.
>>>>>>>> #
>>>>>>>> vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>>>>>>> vars.password = company
>>>>>>>>
>>>>>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>>>>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>>>>> pool.default.auth.simple.password = ${global:vars.password}
>>>>>>>>
>>>>>>>> # Create keystore, import certificate chain and uncomment
>>>>>>>> # if using ssl/tls.
>>>>>>>> #pool.default.ssl.startTLS = true
>>>>>>>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>>>>> #pool.default.ssl.truststore.password = changeit
>>>>>>>> [root@cstlb2 aaa]#
>>>>>>>>
>>>>>>>> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Budur Nagaraju" <[email protected]>
>>>>>>>>>> To: "Alon Bar-Lev" <[email protected]>
>>>>>>>>>> Cc: [email protected]
>>>>>>>>>> Sent: Tuesday, September 22, 2015 5:35:16 PM
>>>>>>>>>> Subject: Re: [ovirt-users] LDAP Authentication
>>>>>>>>>>
>>>>>>>>>> it's too complicated, you have any script or video?
>>>>>>>>>
>>>>>>>>> in 3.6 we have a setup script.
>>>>>>>>> for now:
>>>>>>>>>
>>>>>>>>> cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>>>>>>>>
>>>>>>>>> this is written in the README.
>>>>>>>>>
>>>>>>>>> then customize files at /etc/ovirt-engine/extensions.d/*
>>>>>>>>> /etc/ovirt-engine/aaa/* to match your setup
>>>>>>>>>
>>>>>>>>>> On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>> From: "Budur Nagaraju" <[email protected]>
>>>>>>>>>>>> To: "Alon Bar-Lev" <[email protected]>
>>>>>>>>>>>> Cc: [email protected]
>>>>>>>>>>>> Sent: Tuesday, September 22, 2015 5:24:36 PM
>>>>>>>>>>>> Subject: Re: [ovirt-users] LDAP Authentication
>>>>>>>>>>>>
>>>>>>>>>>>> HI Alon,
>>>>>>>>>>>>
>>>>>>>>>>>> Below is the configuration which I have done, but unable to search the
>>>>>>>>>>>> users in UI
>>>>>>>>>>>> can you pls help me?
>>>>>>>>>>>
>>>>>>>>>>> you need three files, see the
>>>>>>>>>>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>>>>>>>>>>
>>>>>>>>>>>> [root@cstlb2 aaa]# cat ldap1.properties
>>>>>>>>>>>> #
>>>>>>>>>>>> # Select one
>>>>>>>>>>>> #
>>>>>>>>>>>> include = <openldap.properties>
>>>>>>>>>>>> #include = <389ds.properties>
>>>>>>>>>>>> #include = <rhds.properties>
>>>>>>>>>>>> #include = <ipa.properties>
>>>>>>>>>>>> #include = <iplanet.properties>
>>>>>>>>>>>> #include = <rfc2307.properties>
>>>>>>>>>>>> #include = <rfc2307-openldap.properties>
>>>>>>>>>>>>
>>>>>>>>>>>> #
>>>>>>>>>>>> # Server
>>>>>>>>>>>> #
>>>>>>>>>>>> vars.server =my.abc.net
>>>>>>>>>>>>
>>>>>>>>>>>> #
>>>>>>>>>>>> # Search user and its password.
>>>>>>>>>>>> #
>>>>>>>>>>>> vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>>>>>>>>>>> vars.password = company1
>>>>>>>>>>>>
>>>>>>>>>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>>>>>>>>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>>>>>>>>> pool.default.auth.simple.password = ${global:vars.password}
>>>>>>>>>>>>
>>>>>>>>>>>> # Create keystore, import certificate chain and uncomment
>>>>>>>>>>>> # if using ssl/tls.
>>>>>>>>>>>> #pool.default.ssl.startTLS = true
>>>>>>>>>>>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>>>>>>>>> #pool.default.ssl.truststore.password = changeit
>>>>>>>>>>>> [root@cstlb2 aaa]#
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>>> From: "Budur Nagaraju" <[email protected]>
>>>>>>>>>>>>>> To: [email protected]
>>>>>>>>>>>>>> Sent: Tuesday, September 22, 2015 4:34:46 PM
>>>>>>>>>>>>>> Subject: [ovirt-users] LDAP Authentication
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> HI All,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Can someone help me in configuring LDAP authentication for Ovirt?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please review:
>>>>>>>>>>>>> http://www.ovirt.org/Features/AAA
>>>>>>>>>>>>> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>>>>>>
>>>>>>> --
>>>>>>> Daniel Helgenberger
>>>>>>> m box bewegtbild GmbH
>>>>>>>
>>>>>>> P: +49/30/2408781-22
>>>>>>> F: +49/30/2408781-10
>>>>>>>
>>>>>>> ACKERSTR. 19
>>>>>>> D-10115 BERLIN
>>>>>>>
>>>>>>> www.m-box.de www.monkeymen.tv
>>>>>>>
>>>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
>>>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
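Added example, not code from the thread or from the oVirt project: a small Python lint for an aaa-ldap properties file that keeps trailing whitespace in values (the behaviour of Java-style properties parsing, which is what let the 'my.abc.net ' space in the thread break DNS resolution) and also flags a simple-bind search password configured while startTLS stays commented out. The sample file, the finding codes and the assumption that `${global:key}` expands against other keys in the same file are constructed for this example.

```python
import re

# Constructed sample modelled on the ldap1.properties posted in the thread, trailing space included.
SAMPLE = (
    "include = <openldap.properties>\n"
    "vars.server = my.abc.net \n"
    "vars.user = uid=search,cn=users,dc=abc,dc=net\n"
    "vars.password = company1\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
    "#pool.default.ssl.startTLS = true\n"
)

# Hostname labels: alphanumerics with internal hyphens, joined by dots (no whitespace).
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")

def parse_properties(text):
    """Parse 'key = value' lines. Whitespace before a value is dropped but
    whitespace after it is kept, as Java-style properties parsers do."""
    raw = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            raw[key.strip()] = value.lstrip()
    return raw

def resolve(raw, value, depth=0):
    """Expand ${global:key} references against the parsed map (bounded depth)."""
    if depth > 10:
        return value
    return re.sub(r"\$\{global:([^}]+)\}",
                  lambda m: resolve(raw, raw.get(m.group(1), ""), depth + 1), value)

def lint(text):
    """Return (finding, key) pairs for the pitfalls discussed in the thread."""
    raw = parse_properties(text)
    cfg = {k: resolve(raw, v) for k, v in raw.items()}
    findings = [("trailing-whitespace", k) for k, v in raw.items() if v != v.rstrip()]
    server = cfg.get("pool.default.serverset.single.server", "")
    if server and not HOSTNAME.fullmatch(server):
        findings.append(("bad-hostname", "pool.default.serverset.single.server"))
    # A simple bind sends the search user's password; without startTLS it crosses the wire in clear text.
    if "pool.default.auth.simple.password" in cfg \
            and cfg.get("pool.default.ssl.startTLS", "").strip().lower() != "true":
        findings.append(("no-starttls", "pool.default.auth.simple.password"))
    return findings
```

Running `lint(SAMPLE)` reports the trailing space twice (on `vars.server` itself and on the resolved server hostname) plus the missing startTLS; removing the space leaves only the startTLS finding.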

